Security bosses seek to dissolve encryption bans: An international security consortium is set to lobby governments around the world to withdraw restrictions on encryption standards.
The Jericho Forum, whose membership includes many chief security officers from FTSE 100 companies, will push for the removal of encryption restrictions within the next three-to-five years.
The odd thing about this is that it comes at a time in which governments are making noises about wanting more wiretaps and more control (see e.g. the move to make VOIP and thus in effect every Internet communication easily tapped). And in the background are complaints about encryption.
On the other hand, one gets the impression that government cracking technology available to civilian law enforcement has taken some leaps forward lately, which can only make you wonder what the NSA is holding back.
I think it’s probably because the NSA has shifted gears from directly cracking cryptography to cracking the implementation.
Here’s an example: KeePass, a fantastic password safe program. You can read the site, read the code, whatever you want; the author and contributors clearly know what they’re doing, are clearly ahead of the game (they were ahead of the SHA-1 crack, and used SHA-256 instead), and know enough about cryptography to implement creative solutions like configurable rounds of initial user key hashing, which makes a brute-force attack much harder.
But it has a problem, like most password safes: if you choose to unmask the password in a database, the password will enter the program’s process in plaintext. If Windows happens to write this information from memory into the pagefile, a plaintext copy of the password will sit on the hard drive for an indefinite amount of time, until it happens to be written over enough to be securely ‘deleted.’
In KeePass’ defense, it’s still in Beta, and many other programs have or have had the same problem (the granddaddy of these, Password Safe, doesn’t seem to). But these are skilled, knowledgeable programmers working in open source. Even worse, though, not one of these programs I’ve seen masks all of the information in memory; they’ll at least show usernames and/or comments, because to encrypt all of it in memory would require everyone use a top-of-the-line computer and be patient with the software. Even in an organization like Al Qaeda that cannot be expected; it certainly can’t be expected by the North Korean government with their limited resources.
In the end, I really don’t think it’s about the direct cracking of the math anymore. If you TrueCrypt your hard drive with a 50-character password using AES-Serpent-Twofish, your data is probably mathematically secure far beyond the point at which it could possibly be relevant. The question is more if your password gets picked up somewhere, if there’s some implementation problem with the security. The few whispers we’ve heard from the NSA point to this being the case, with an increased reliance on defeating the crypto by, say, getting part of the key, or inserting trojans, or finding a password that isn’t changed regularly, or finding out how the passwords are constructed.
Links:
http://keepass.sourceforge.net/
http://passwordsafe.sourceforge.net/
http://truecrypt.sourceforge.net/
Don’t forget a secure passphrase!
http://www.stack.nl/~galactus/remailers/passphrase-faq.html
http://world.std.com/~reinhold/diceware.html
My apologies to Michael for spamming the board with software – I’m not connected to any of it, I just happened to have been looking at a lot of it recently, and so have been pointing it out to other quasigeeks.
On the other hand, one gets the impression that government cracking technology available to civilian law enforcement has taken some leaps forward lately, which can only make you wonder what the NSA is holding back.
Are there particular stories that make you think that? I know that the semi-directed password searchers are improving, but to my mind that’s not “core cracking,” it’s just permutation engines.